
HJT is being Stopped/crashes

Had a machine hit my bench late this afternoon (hit hard and bounced into my seat).

Fired it up, had a look at the running processes, and found a **** load that looked out of place, some familiar: CWS, new.net.

Spotted one new name: Snapper.exe.

So I restarted in safe mode and did a quick HJT scan. As it neared completion it crashed: Windows detected a problem and popped the "we will close it" window over the top of the scan log.

Restarted and tried again. Same story.

Spotted something that was definitely out of place.

I think it was in the System.ini:
shell=explorer.exe; mcafee32.exe and
userint=userint.exe;userint32.exe

It was a bit hard to catch, as the warning box landed right over the area I was reading, and I couldn't do a bloody thing with HJT.

So I restarted with BartPE and tried HJT. The scan would run and close before you could read anything from the log.

Did an Ad-Aware scan under BartPE.
Last count had 600 items; when I came back it was at the start?
Did another scan, stopped it at 450 or so items.
Had DyFuCa, IST, CWS, New.net... forgotten the rest.

At this point my office closed for the day. Quickly saved the log from Ad-Aware to the HDD, but didn't save it to my jump drive.

.........

I was not surprised when HJT failed in safe mode, but I am puzzled by it crashing under BartPE. Has anyone seen this issue before?
My version of HJT is 1.99.1.

The machine is a 12-month-old Compaq, WinXP Home.
The owner's son has managed to infect the system badly enough to require a MOBO reset and clean install (partition, format, then recovery CDs).
The customer's AV is Norton 2005 (I point this out due to the mention of McAfee in the system INI).

My first action will be to scavenge out as many of the suspect files as possible under Bart before I start any other cleanups (the Ad-Aware scan was set to move to the Recycle Bin),
then rename the mcafee32.exe file and edit the system.ini, certainly checking the other entry mentioned above.

So why the failure of HJT during the scan under Bart? Thoughts?

Normally SmartKiller doesn't worry HJT in a BartPE scan. While it is in my mind, I have discounted it as most likely.

"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

Maybe this is the problem? ...or something with similar heuristics?

NOTE: Systems infected with the 'Ms4Hd' rootkit parasite will experience crashes in HijackThis 1.99.x since this parasite deliberately crashes programs that try to detect it.

EDIT:

Note: Beware of the Ms4Hd parasite, which will crash HijackThis when it reaches the new O23 (NT Services) section. This parasite deliberately crashes most apps that query any regkeys/files it owns, and we haven't found a way around this. For now there is a copy of HJT 1.98.2 (which shouldn't crash with Ms4Hd) at http://www.merijn.org/files/hijackthis1982.zip for such cases.


Did a Google on this bugger. All I have seen is reference to it crashing progs like HJT.

That explains why HJT crashed in safe mode, but the trojan shouldn't be active when the system was booted from Bart.

I wonder if it is to do with the remote registry tools?

Hmm, more research for me. Thanks Johnno.

Sorry, I am such a slow typist. Sirdice: yep, I know, this time it is personal. I will give a machine a solid half hour; if I am no closer, wipe the bugger clean. I will give this one extra time; it gets a total of 45 min. These are the jobs you can learn some serious **** from (oh, and waste some serious time), but I am not going to make a charity case out of it. My health can't afford it, nor can the wallet.

Save that the results of HJT 1.99.1 still crash, both in safe mode and BartPE.
HJT 1.98.2 has performed scans, but one entry is different/missing: that is the "shell=" entry (log shown below for interest; it has a **** load).

I am currently checking a couple of listings (I may zip these up for those interested).
The System.ini entries are registry entries.
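The shell= and userinit= lines discussed in this thread are the Winlogon Shell and Userinit registry values, which HijackThis reports as F2 "system.ini" entries. As an added example (not from the thread and not HijackThis code), here is a small Python check that parses those F2 lines and flags anything beyond the stock Windows XP values. The key path and the default values are assumptions stated in the code, and the sample log lines are constructed to match the entries described in the posts (the post's transcription used semicolons as separators, so both comma and semicolon are accepted).

```python
"""Audit Winlogon Shell / Userinit values as reported on HijackThis F2 lines.

Added example, not from the forum post or from HijackThis. The key path
and expected values below are assumptions for Windows XP; the sample
log lines are constructed to resemble the entries the post describes.
"""

# Assumed location of the values (HijackThis labels them "system.ini").
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed stock values for Windows XP: only these program names belong here.
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {"userinit.exe"},
}


def split_value(raw):
    """Split a Shell/Userinit value into lower-cased program basenames.

    Windows separates entries with commas; the post's transcription used
    semicolons, so both are accepted. Paths are reduced to the file name
    because malware often drops into system32 to blend in.
    """
    names = []
    for chunk in raw.replace(";", ",").split(","):
        chunk = chunk.strip().strip('"')
        if not chunk:
            continue
        names.append(chunk.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def parse_hjt_f2(line):
    """Return (value_name, value) for an HJT 'F2 - REG:system.ini:' line,
    with the value name canonicalised to the key used in EXPECTED, or
    None for any other line."""
    prefix = "F2 - REG:system.ini: "
    if not line.startswith(prefix) or "=" not in line:
        return None
    name, _, value = line[len(prefix):].partition("=")
    canonical = {k.lower(): k for k in EXPECTED}.get(name.strip().lower())
    return (canonical or name.strip(), value.strip())


def audit_winlogon(values):
    """Return {value_name: {"unexpected": [...], "missing": [...]}} for each
    audited value that has extra programs (the classic hijack: an added
    loader) or lacks the stock one (a replaced Userinit locks out logon).
    An empty dict means both values look stock."""
    findings = {}
    for name, expected in EXPECTED.items():
        present = split_value(values.get(name, ""))
        unexpected = [p for p in present if p not in expected]
        missing = sorted(expected - set(present))
        if unexpected or missing:
            findings[name] = {"unexpected": unexpected, "missing": missing}
    return findings


def audit_hjt_log(lines):
    """Pull the F2 entries out of HJT log lines and audit them."""
    values = {}
    for line in lines:
        parsed = parse_hjt_f2(line)
        if parsed:
            values[parsed[0]] = parsed[1]
    return audit_winlogon(values)


# Constructed sample log, modelled on the entries described in the thread.
SAMPLE_LOG = [
    "O4 - HKLM\\..\\Run: [Snapper] C:\\WINDOWS\\Snapper.exe",
    "F2 - REG:system.ini: Shell=explorer.exe; mcafee32.exe",
    "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,userinit32.exe",
]

if __name__ == "__main__":
    for name, result in audit_hjt_log(SAMPLE_LOG).items():
        print(f"{WINLOGON_KEY}\\{name}: {result}")
```

Running it against the constructed lines flags mcafee32.exe on Shell and userinit32.exe on Userinit, which is exactly the pair the first post spotted; the same check applied to a log from a clean XP box returns nothing. A Userinit value missing userinit.exe altogether is reported separately, since removing the malicious entry without restoring the stock one leaves a machine that cannot complete logon.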

Progress Report

Spent about 20 mins playing with this problem; spent my day playing with intermittent mobo problems and noisy fans.

The main problem appears to have been an rbot & Qhost infection, but here is a list of the buggers I have found thus far (oh, HJT 1.99.1 now works), though regedit, Task Manager and msconfig still only work in safe mode.

A total of 43 malware (I manually delete ALL cookies and then move the TIF, Windows TEMP and user/localfiles/Temp files before getting too damned involved, and scan them later as a final check before giving the all clear). This is a count of malware involved, not the total number of files, after an automated cleaning by Ad-Aware under Bart. AboutBuster and a handful of scripted tools were a monstrous help.

It may have been a financial waste of time, but I have played with a few new tools as well as learnt a skill or two that I hope will be useful more often (I hope).

I hope more to come..
